From matt at cs.hmc.edu Thu Feb 3 00:57:06 2000
From: matt at cs.hmc.edu (Matt Schnaider)
Date: Thu, 3 Feb 2000 00:57:06 -0800 (PST)
Subject: Bro Question
Message-ID:

Hi,

I am a student at Harvey Mudd College and I am working with a research clinic sponsored by the Aerospace Corporation. I'm currently working on configuring Bro alpha 0.6 under Solaris 2.7. When I start running it, it appears to be working for a while, but eventually (sometime between 25 min and about a day) it runs away, takes up the whole CPU on an Ultra Sparc 30 with 256 megs of RAM, and never seems to write to any of its logs again.

Please let me know if you can offer any assistance. Thank you in advance.

-Matt Schnaider

_._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._
Matthew J. Schnaider                                            East 121
Harvey Mudd College                                             x72006
340 E. Foothill Blvd.                                           Class of 2001
Claremont, CA 91711                       Computer Science Department Staff

"You'll never shine if you don't glow."
._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._.

From vern at ee.lbl.gov Thu Feb 3 23:07:49 2000
From: vern at ee.lbl.gov (Vern Paxson)
Date: Thu, 03 Feb 2000 23:07:49 PST
Subject: Bro Question
In-Reply-To: Your message of Thu, 03 Feb 2000 00:57:06 PST.
Message-ID: <200002040707.XAA07599@daffy.ee.lbl.gov>

> I am a student at Harvey Mudd College and I am working with a research
> clinic sponsored by the Aerospace Corporation. I'm currently
> working on configuring Bro alpha 0.6 under Solaris 2.7. When I start
> running it, it appears to be working for a while, but eventually
> (sometime between 25 min and about a day) it runs away, takes up the whole
> CPU on an Ultra Sparc 30 with 256 megs of RAM, and never seems to write
> to any of its logs again.

What volume traffic stream are you running it on, and with what tcpdump filter? The symptoms sound like it is running out of virtual memory and starting to page-fault thrash.
Vern

From matt at cs.hmc.edu Fri Feb 4 01:36:57 2000
From: matt at cs.hmc.edu (Matt Schnaider)
Date: Fri, 4 Feb 2000 01:36:57 -0800 (PST)
Subject: Bro Question
In-Reply-To: <200002040707.XAA07599@daffy.ee.lbl.gov>
Message-ID:

On Thu, 3 Feb 2000, Vern Paxson wrote:

> What volume traffic stream are you running it on, and with what tcpdump
> filter? The symptoms sound like it is running out of virtual memory and
> starting to page-fault thrash.
>
> Vern
>

I'm using the suggested filter, i.e.:

./bro -f "((tcp[13] & 0x7 != 0) or \
port telnet or tcp port 513 or port finger or port 111 or tcp port 113 or \
port ftp or dst port 8000 or \
(tcp and (ip[6:2] & 0x3fff != 0)))" \
-i hme0 mt

Looking at the top stats for the system, top gives:

load averages: 1.00, 1.01, 1.01                                   00:15:11
22 processes: 20 sleeping, 1 running, 1 on cpu
CPU states: 0.0% idle, 99.8% user, 0.2% kernel, 0.0% iowait, 0.0% swap
Memory: 256M real, 76M free, 13M swap in use, 424M swap free

  PID USERNAME THR PRI NICE  SIZE   RES STATE   TIME    CPU COMMAND
 3172 root       1  40    0 4216K 3736K run    22.9H 99.51% bro
 3197 root       1  58    0 2152K 1488K cpu    14:05  0.25% top
  193 root       1  58    0 1872K  864K sleep   2:45  0.00% sshd1
    1 root       1  59    0 2232K  696K sleep   0:06  0.00% init
etc...

tcpdump is seeing between 250 and 2500 packets per second with no filter, depending on the time of day. With the suggested filter, it sees about 1-100 packets per second.

-Matt

_._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._
Matthew J. Schnaider                                            East 121
Harvey Mudd College                                             x72006
340 E. Foothill Blvd.                                           Class of 2001
Claremont, CA 91711                       Computer Science Department Staff

"For starters, what is an echo and what does it do? The echo program reads
a string and repeats it; think of the program as an automated liberal arts
undergraduate student."
        -- Stephen Northcutt, _Network Intrusion: An Analyst's Handbook_
._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._.
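To make the filter in Matt's message concrete, here is an added example (not from the thread and not Bro's own code) that re-implements the tcpdump predicate in Python over constructed IPv4/TCP/UDP headers, so one can see why a SYN, a finger or portmap lookup, or a TCP fragment reaches Bro while ordinary bulk data is dropped. It assumes tcpdump's rule that transport-layer fields are only tested on the first fragment; the helper and constant names are my own.

```python
import struct

TCP, UDP = 6, 17
FTP, TELNET, FINGER = 21, 23, 79          # service names used in the filter

def ipv4(proto, payload, frag=0):
    """Constructed minimal IPv4 header (no options) in front of payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, frag,
                       64, proto, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02") + payload

def tcp(sport, dport, flags):
    """Constructed minimal 20-byte TCP header; flags is the raw tcp[13] byte."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 8192, 0, 0)

def udp(sport, dport):
    """Constructed 8-byte UDP header with no payload."""
    return struct.pack("!HHHH", sport, dport, 8, 0)

def parse(pkt):
    """Pull out the fields the filter tests. As in tcpdump, transport-layer
    fields are only available on the first fragment (fragment offset == 0)."""
    ihl = (pkt[0] & 0x0F) * 4
    proto, frag = pkt[9], struct.unpack("!H", pkt[6:8])[0]
    l4, sport, dport, flags = pkt[ihl:], None, None, None
    if (frag & 0x1FFF) == 0 and proto in (TCP, UDP) and len(l4) >= 4:
        sport, dport = struct.unpack("!HH", l4[:4])
        if proto == TCP and len(l4) >= 14:
            flags = l4[13]
    return proto, frag, sport, dport, flags

def matches_bro_filter(pkt):
    """True if the packet would pass the tcpdump filter quoted in the thread."""
    proto, frag, sport, dport, flags = parse(pkt)
    is_tcp, ports = proto == TCP, {sport, dport}
    if is_tcp and flags is not None and flags & 0x07:   # tcp[13] & 0x7: FIN/SYN/RST
        return True
    if proto in (TCP, UDP) and ports & {TELNET, FINGER, 111, FTP}:  # "port N": tcp or udp
        return True
    if is_tcp and ports & {513, 113}:                   # "tcp port N": tcp only
        return True
    if proto in (TCP, UDP) and dport == 8000:           # "dst port 8000"
        return True
    return is_tcp and (frag & 0x3FFF) != 0              # ip[6:2] & 0x3fff: MF or offset

# Constructed sample packets: what survives the filter and what is dropped
SYN_TO_WEB = ipv4(TCP, tcp(40000, 80, 0x02))          # kept: SYN (connection setup)
DATA_TO_WEB = ipv4(TCP, tcp(40000, 80, 0x18))         # dropped: PSH/ACK bulk data
UDP_PORTMAP = ipv4(UDP, udp(40000, 111))              # kept: "port 111" covers UDP too
TCP_FRAGMENT = ipv4(TCP, b"\x00" * 8, frag=0x2010)    # kept: MF set, nonzero offset
```

The last clause explains why the filtered stream is small relative to the raw 250-2500 pps: only connection-control packets, a handful of service ports and fragments get through, which is also the set of packets an attacker-shaped edge case would most plausibly hide in.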
From vern at ee.lbl.gov Fri Feb 4 08:48:52 2000
From: vern at ee.lbl.gov (Vern Paxson)
Date: Fri, 04 Feb 2000 08:48:52 PST
Subject: Bro Question
In-Reply-To: Your message of Fri, 04 Feb 2000 01:36:57 PST.
Message-ID: <200002041648.IAA08191@daffy.ee.lbl.gov>

> I'm using the suggested filter, i.e.:
>
> ./bro -f "((tcp[13] & 0x7 != 0) or \
> port telnet or tcp port 513 or port finger or port 111 or tcp port 113 or \
> port ftp or dst port 8000 or \
> (tcp and (ip[6:2] & 0x3fff != 0)))" \
> -i hme0 mt
>
> Looking at the top stats for the system, top gives:
>
> load averages: 1.00, 1.01, 1.01                                   00:15:11
> 22 processes: 20 sleeping, 1 running, 1 on cpu
> CPU states: 0.0% idle, 99.8% user, 0.2% kernel, 0.0% iowait, 0.0% swap
> Memory: 256M real, 76M free, 13M swap in use, 424M swap free
>
>   PID USERNAME THR PRI NICE  SIZE   RES STATE   TIME    CPU COMMAND
>  3172 root       1  40    0 4216K 3736K run    22.9H 99.51% bro

Very strange. The next thing to do is attach a debugger to it when it's running and see where it is.

But you might also want to try the Bro 0.7a10 snapshot:

ftp://ftp.ee.lbl.gov/.vp-bro-pub-0.7a10.tar.gz

which may have already fixed the problem (there were some bugs in which certain sequences of packets could make Bro loop or crash). This is a 0.7 pre-release and so doesn't include discussion of what has changed, so it's not really ready for general use, though others who want to play with it now can go ahead and fetch it. As usual, please don't redistribute it further; instead point people at me for further copies.

Vern

From vern at ee.lbl.gov Sat Feb 26 23:21:56 2000
From: vern at ee.lbl.gov (Vern Paxson)
Date: Sat, 26 Feb 2000 23:21:56 PST
Subject: revised Bro paper now available
Message-ID: <200002270721.XAA24148@daffy.ee.lbl.gov>

FYI, a revised version of the Bro paper, which appears in Computer Networks 31(23-24), Dec. 1999, is now available from:

ftp://ftp.ee.lbl.gov/papers/bro-CN99.ps.gz

It has a number of tweaks over the USENIX version, none major, but together totalling a medium-grade revision.

Vern

From trinhtuan at hn.vnn.vn Mon Feb 28 18:47:07 2000
From: trinhtuan at hn.vnn.vn (Trinh Anh Tuan)
Date: Tue, 29 Feb 2000 09:47:07 +0700
Subject: About Bro documentation !
Message-ID: <000f01bf825f$73de0f60$051a19ac@cfti.edu.vn>

Hello Bro's users,

I got a copy of Bro, vp-bro-0-6-alpha_tar, (I don't know if there is a newer version now?), a few weeks ago, but till now I have time to read its source code. Bro is well structured, and if we make detailed documentation for it, Bro will be very nice for users and for those who want to develop it. So, at first, I started drawing its "Class-relations Scheme", which will describe the relations between Bro's classes. Has anyone done it? If "yes", please notify me!

PS: Please, forgive my terrible English!

From vern at ee.lbl.gov Tue Feb 29 02:36:19 2000
From: vern at ee.lbl.gov (Vern Paxson)
Date: Tue, 29 Feb 2000 02:36:19 PST
Subject: About Bro documentation !
In-Reply-To: Your message of Tue, 29 Feb 2000 09:47:07 PST.
Message-ID: <200002291036.CAA02774@daffy.ee.lbl.gov>

> I got a copy of Bro, vp-bro-0-6-alpha_tar, (I don't know if there is a newer
> version now?)

There isn't a newer version yet, though I hope to put out 0.7 within a month or so.

> So, at
> first, I started drawing its "Class-relations Scheme", which will describe
> the relations between Bro's classes. Has anyone done it?

I don't know of anyone doing this, and it would certainly be handy to have!

Vern